Threat actors use Google Ads to spread the Bumblebee malware

May 19, 2023
Threat Actors Google Ads Bumblebee Malware Trojan

Several threat actors have been leveraging Google Ads and adopting SEO poisoning tactics to spread the enterprise-targeting Bumblebee malware. The actors push the malware through fake download pages posing as well-known software products such as ChatGPT, Citrix Workspace, Cisco AnyConnect, and Zoom.

Researchers first discovered Bumblebee malware in April last year. The initial investigation attributed the malware to the Conti group, which created it as a substitute for the BazarLoader backdoor to acquire initial access to targeted networks and conduct ransomware campaigns.

The latest version of the malware loader appeared in the wild in September 2022. It featured a more elusive attack chain that uses the PowerSploit framework for DLL injection into memory.

More recently, a researcher observed a new campaign using Google Ads to promote trojanised versions of popular applications that deliver this loader.


A Bumblebee malware campaign used fake software promoted on Google Ads.


One Bumblebee incident earlier this year employed a Google Ad to promote a fake Cisco AnyConnect download page. The infection chain started with the malicious Google Ad, which redirected users through a compromised WordPress website to the fake download page.

The fake landing page offered a trojanised MSI installer that installs Bumblebee malware. When run, the installer drops two files onto the user's device: a copy of the legitimate program installer and a deceptively named PowerShell script.

The campaign then runs the legitimate AnyConnect installer so that a genuine application appears, which avoids user suspicion, while the PowerShell script deploys Bumblebee malware and carries out the malicious activity on the infected device.

The PowerShell script includes a series of renamed functions copied from the PowerSploit script. It also contains an encoded Bumblebee payload, which it reflectively loads into the memory of a target process.

This detail shows that Bumblebee still uses the same post-exploitation framework module to execute the malware in memory without creating the anomalies that could raise suspicion from AV solutions.
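As an added example (not code from the article or from the researchers it cites), the following Python triages constructed Sysmon-style process-creation records and PowerShell script-block log text for the chain described above: an MSI installer spawning PowerShell from a user-writable path, and a script that, whatever its functions are renamed to, still calls Win32 memory APIs and embeds a large base64 payload. The field names, file paths and log text are assumptions made for the example.

```python
import re
# Constructed Sysmon-style process-creation records (not from the article): msiexec
# installs the real client but also spawns a PowerShell script dropped in Temp.
EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec.exe /i C:\Users\alice\Downloads\anyconnect-win.msi"},
    {"pid": 102, "ppid": 100, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -w hidden -ep bypass -File C:\Users\alice\AppData\Local\Temp\cisco.ps1"},
    {"pid": 103, "ppid": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\Scripts\inventory.ps1"},
]
# Constructed script-block (PowerShell event 4104) text per pid. The loader's
# functions are renamed, so match the Win32 memory APIs it still has to call.
SCRIPT_BLOCKS = {
    102: ("function Get-Xy7 { $h = [Win32]::GetProcAddress($k, 'VirtualAlloc'); "
          "[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($h, $t) } "
          "$b = [Convert]::FromBase64String('" + "QUFB" * 400 + "')"),
    103: r"Get-ChildItem C:\ -Recurse | Export-Csv inventory.csv",
}
PS_IMAGE_RE = re.compile(r"\\(powershell|pwsh)\.exe$", re.I)
USER_PATH_RE = re.compile(r"\\(Users|Temp|ProgramData)\\", re.I)
MEM_API_RE = re.compile(r"VirtualAlloc|GetProcAddress|GetDelegateForFunctionPointer|WriteProcessMemory|CreateRemoteThread", re.I)
B64_BLOB_RE = re.compile(r"[A-Za-z0-9+/]{500,}={0,2}")  # long embedded payload

def installer_spawned_powershell(events):
    """Return pids of PowerShell processes whose parent is msiexec.exe."""
    by_pid = {e["pid"]: e for e in events}
    return [e["pid"] for e in events if PS_IMAGE_RE.search(e["image"])
            and (p := by_pid.get(e["ppid"]))
            and p["image"].lower().endswith(r"\msiexec.exe")]

def script_block_indicators(text):
    """In-memory loader heuristics: several memory APIs plus a large blob."""
    reasons = []
    if len({m.group(0).lower() for m in MEM_API_RE.finditer(text)}) >= 2:
        reasons.append("win32-memory-apis")
    if B64_BLOB_RE.search(text):
        reasons.append("large-base64-blob")
    return reasons

def triage(events, script_blocks):
    """Map suspicious pid -> reasons; an empty dict means nothing fired."""
    by_pid = {e["pid"]: e for e in events}
    findings = {}
    for pid in installer_spawned_powershell(events):
        reasons = ["msiexec-parent"]
        if USER_PATH_RE.search(by_pid[pid]["cmdline"]):
            reasons.append("script-in-user-path")
        findings[pid] = reasons + script_block_indicators(script_blocks.get(pid, ""))
    return findings
```

The parent-process check alone will also fire on benign installers that run PowerShell custom actions, so the script-block indicators are what separate a loader from an ordinary post-install script.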

Researchers should continue to study this malware and campaign, as it could pose a significant threat to more targets soon.
